On Fri, Jul 03, 2009, Natanael Mignon - michael-wessel.de wrote:

> Dear list,
>
> regarding the same project as my last question, we are many steps further by
> now.
>
> Situation is as follows: Apache with mod_proxy and mod_ssl authenticates
> client by certificate including online OCSP request. OCSP URI is correct,
> response is received, but then:
>
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(104): [client 172.30.64.154] sending request to OCSP responder
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Date: Fri, 03 Jul 2009 11:37:54 GMT
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-type: application/ocsp-response
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: content-length: 1212
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(208): [client 172.30.64.154] OCSP response header: Connection: close
> [Fri Jul 03 12:37:27 2009] [debug] ssl_util_ocsp.c(234): [client 172.30.64.154] OCSP response: got EOF
> [Fri Jul 03 12:37:27 2009] [error] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
> [Fri Jul 03 12:37:27 2009] [error] [client 172.30.64.154] failed to decode OCSP response data
>
> I have traced the failing call so far:
>
> Apache ssl_util_ocsp.c:
>
>     response = d2i_OCSP_RESPONSE_bio(bio, NULL);
>
>     if (response == NULL) {
>         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
>         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
>                       "failed to decode OCSP response data");
>     }
>
> OpenSSL 0.9.8d crypto/ocsp/ocsp.h:
>
>     #define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
>
> Here I am really lost. What data is required to decode the response, what
> could be missing?
>
> First ideas are corrupt certificates - sounds reasonable
> also, because with a different client certificate issued by a different CA
> and therefore validated against a different OCSP responder everything works
> okay. But what certificates are required for decoding the response data here?
> The OCSP responder's signing certificate?
>
> Any help is highly appreciated, thanks in advance!
I suggest you check to see if you really get 1212 bytes of data in the
response and log them somewhere. If you post the result it can be analysed to
see if the response is valid.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
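One way to act on Steve's suggestion, as an added example that is not part of the thread or of Apache/OpenSSL: once the response body has been logged to a file, the outer DER SEQUENCE header states how long the whole response must be, so comparing that with the bytes actually received separates "responder closed the connection early" (what ASN1_D2I_READ_BIO reports as "not enough data") from a response that arrived whole but is malformed. The sample bytes are constructed; only the outer header matters for this check.

```python
"""Check whether a captured OCSP response body is complete by comparing the
outer DER SEQUENCE header's declared length with the bytes actually received.
Added example; the sample bytes are constructed, not a real responder's output."""


def der_declared_total_length(data: bytes):
    """Return the total encoded length (header + content) that the outer DER
    tag/length of ``data`` declares, or None if not even the header is present.
    An OCSP response is a SEQUENCE, so the first byte must be 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:       # indefinite form is not DER; header cut off
        return None
    content_len = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + content_len


def diagnose_response(received: bytes, content_length: int):
    """Classify a captured body: (status, bytes received, Content-Length, DER total)."""
    declared = der_declared_total_length(received)
    if declared is None:
        return ("no-der-header", len(received), content_length, None)
    if len(received) < declared:          # this is the "not enough data" case
        return ("truncated", len(received), content_length, declared)
    if declared != content_length:        # whole DER object, but header disagrees
        return ("length-mismatch", len(received), content_length, declared)
    return ("complete", len(received), content_length, declared)


# Constructed sample: a 1212-byte DER SEQUENCE (30 82 04 B8 + 1208 filler bytes),
# matching the content-length the Apache log reported. Real bodies are not
# filler, but the outer header is all the truncation check needs.
SAMPLE_FULL = bytes([0x30, 0x82, 0x04, 0xB8]) + bytes(1208)
SAMPLE_TRUNCATED = SAMPLE_FULL[:800]     # what an early EOF after 800 bytes leaves

if __name__ == "__main__":
    for name, body in (("full", SAMPLE_FULL), ("cut", SAMPLE_TRUNCATED)):
        status, got, hdr, declared = diagnose_response(body, 1212)
        print(f"{name}: {status} (received {got}, content-length {hdr}, DER declares {declared})")
```

A body that the check reports as complete can then be inspected with `openssl ocsp -respin resp.der -text`; if it reports truncated, the problem is on the transport side between Apache and the responder, not in the certificates.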